SecurityFeed.info » HP ASC Portal

Feeds

23797 items (23797 unread) in 97 feeds

• Aviv Raff On .NET (18 unread)
• Bugtraq (bugtraq) Mailing List (605 unread)
• CGISecurity.com: Your Web Site and Application Security Resource (74 unread)
• christian's weblog (25 unread)
• Irongeek's Security Site (125 unread)
• Jeremiah Grossman (74 unread)
• Heorot.net (11 unread)
• milw0rm.com (440 unread)
• Nmap Hackers (nmap-hackers) Mailing List (7 unread)
• Packet Storm Security Advisories (373 unread)
• Packet Storm Security Exploits (461 unread)
• Packet Storm Security Headlines (376 unread)
• Packet Storm Security Last 100 (1841 unread)
• Packet Storm Security Last 20 (833 unread)
• Packet Storm Security Last 50 (1441 unread)
• Packet Storm Security Last Files (544 unread)
• Packet Storm Security Miscellaneous Files (109 unread)
• Packet Storm Security Tools (113 unread)
• Rootsecure.net (691 unread)
• SecuriTeam.com (184 unread)
• Security Vulnerability Research & Defense (36 unread)
• SecurityFocus News (139 unread)
• SecurityFocus Vulnerabilities (802 unread)
• Securityvulns news channel (336 unread)
• SecWatch - Latest Exploit Alerts (10 unread)
• Taking Network Security to the Streets (28 unread)
• The One And Only Matt Parnell.com (34 unread)
• The Register - Security (388 unread)
• The Register - Software (456 unread)
• VulnWatch (vulnwatch) Mailing List (19 unread)
• Web App Security (webappsec) Mailing List (88 unread)
• IceСμbeς (15 unread)
• Linmagazine (186 unread)
• ‫netcraft Bytes :) (38 unread)
• Digg (4021 unread)
• Blonde 2.0 (51 unread)
• The Microsoft Security Response Center (MSRC) (40 unread)
• (IN)SECURE Magazine Notifications RSS (17 unread)
• 0x000000 Security (78 unread)
• ----- Anti-Malware ----- Analysis and Defense (15 unread)
• Apple Fun (25 unread)
• Technorati Search for: aviv.raffon.net (201 unread)
• C.I.S.R.T. (10 unread)
• Determina Zero-Day Protection (6 unread)
• Didier Stevens (47 unread)
• eEye Digital Security - Research Blog (10 unread)
• Ryan Naraine's Security Watch (96 unread)
• Security - RSS Feeds (179 unread)
• Exploit Prevention Labs (28 unread)
• Software Vulnerability Exploitation Blog (22 unread)
• F-Secure Antivirus Research Weblog (74 unread)
• Full Disclosure (290 unread)
• George Ou (10 unread)
• GNUCITIZEN Media Portfolio (65 unread)
• ha.ckers.org web application security lab (35 unread)
• heise security (342 unread)
• invisiblethings' blog (35 unread)
• Jeff Jones's blog (12 unread)
• JScript Blog (16 unread)
• Matasano Chargen (38 unread)
• McAfee Avert Labs (66 unread)
• Michael Howard's Web Log (26 unread)
• PandaLabs (35 unread)
• Zero Day (273 unread)
• SANS Internet Storm Center, InfoCON: green (231 unread)
• Latest Secunia Security Watchdog Blog Entries (24 unread)
• SecuriTeam Blogs (65 unread)
• Security Fix (115 unread)
• HP ASC Portal (30 unread)
• Strike Center (12 unread)
• Sunbelt Blog (216 unread)
• Sunnet Beskerming Security Advisories (29 unread)
• Technobabylon
• The Recurity Lablog (31 unread)
• Wired: Threat Level (454 unread)
• TrendLabs | Malware Blog - by Trend Micro (158 unread)
• Uninformed Journal (44 unread)
• WabiSabiLabi's blog (22 unread)
• WatchGuard Wire (48 unread)
• Latest Blog Entires From WebSense Security Labs (42 unread)
• Hackszine.com (151 unread)
• DVLabs: Blogs (63 unread)
• Errata Security (81 unread)
• Robert Hensing's Blog (71 unread)
• PaulDotCom Community Blog (10 unread)
• David LeBlanc's Web Log (20 unread)
• Billy (BK) Rios (19 unread)
• David Litchfield's blog (21 unread)
• Farfromr00tin (23 unread)
• aut disce, aut discede (17 unread)
• pwn* (16 unread)
• hackademix.net (42 unread)
• SecurityDot Vulnerabilities (421 unread)
• Vulnerabilities & Exploits (29 unread)
• Malicious Code (26 unread)
• Security Risks (21 unread)
• Digg / Security / upcoming (4162 unread)

HP ASC Portal (10 unread)

• May 24, 2008
• 1:25

  Portal.spidynamics.com is moving soon to a new home!

   » ‎ HP ASC Portal

  Hi everyone, I'm happy to announce that we have started the migration process for portal.spidynamics.com to it's new home. We will be announcing the new site in about 5 days. During the migration we have set our forums to read-only and won't be accepting comments on blog postings (except for this blog!) until after the move. The new site is going to be great and we can't wait to show it to you so stay tuned!
  

  If you have any questions, please feel free to comment here and we will do our best to answer them.

   

  Thanks,

  The HP Application Security Communities Team
  

  
• May 23, 2008
• 21:56

  PCI Knowledgebase

   » ‎ HP ASC Portal

  For my inaugural post, I wanted to share a new PCI resource with you all.  The PCI Knowledgebase boasts the membership of PCI experts that range from QSAs,to Merchants and Service Providers.  David Taylor, the founder, has conducted over 100 hours of interviews with the experts to create perhaps the most complete PCI information resource out there right now.

  Have a look and sign up for the forum.

  Although it's brand new, I expect it to be one of the go-to resources for PCI questions and answers in the future.
   

  
• May 15, 2008
• 21:16

  Hybrid Analysis - The Answer to Static Code Analysis Shortcomings

   » ‎ HP ASC Portal

  Hybrid Analysis - The Answer to Static Code Analysis Shortcomings

      Given my previous article and the buzz it generated (both for and against the ideas I set forth)... I needed to hurry-up and write the follow-on article for "Static Code Analysis Failures".  I've had so many conversations with people about Hybrid Analysis, and "why static code analysis fails" I've come to realize a few things, and wanted to share more of the base for my mindset...

  • Definition: Most of the folks I've spoken to (developer to security "expert") have a mis-guided idea of "static code analysis".  With that in mind, here is the definition from the Wikipedia...

  Static code analysis is the analysis of computer software that is performed without actually executing programs built from that software (analysis performed on executing programs is known as dynamic analysis). In most cases the analysis is performed on some version of the source code and in the other cases some form of the object code. The term is usually applied to the analysis performed by an automated tool, with human analysis being called program understanding or program comprehension. 

  • Concept: The whole reason we (security professionals) have pushed to get a security tool into the "development" part of the SDLC is that it's easiest to fix defects when the code is still being worked on and built.  We all know patching is a recipe for disaster, no one will argue that - so the idea in itself was sound.
  • Evolution: As the evolution of security marches on we have seen the evolution of "static code analysis" move forward as well.  The concept of the traditional white-box testing strategy has gone from sending your code to a human being who would read it, line-by-line and provide an analysis of that code to programs which are essentially smart enough to build the code, trace "source-to-sink" and build data flow models and attack vector simulations. I am writing to contend that we have moved on in the next step of the evolution.  Building the code and doing a "source-to-sink" trace with simulated attack scenarios is no longer good enough. (more on this in a minute)
  • Comprehension: It seems a few folks have missed the point of what I was talking about.  I'm not saying that this type of testing (white-box, source-analysis, whatever you call it) shouldn't be done.  Quite the opposite my friends - "code analysis" is vital to the success of any good security SDLC.
  • Solutions: Everyone quickly jumped on my case to defend whatever tools their company makes or uses... but I think I did my best to not attack any particular tool or vendor... hrmmm...

      OK so now let's talk about what the answer to this whole mess of analyzing web-borne code is going to be.  How will we, as security professionals, continue to be relevant to developers and the roots of the Software Development LifeCycle?  I tell you that the future lies in what I can only call "Hybrid Analysis".  This isn't a term I've developed, in fact, the term can be attributed to the developers of a certain software tool which is now distributed and built by the HP ASC group (to which I belong).  Without turning this into a marketing pitch, I want to explain to you why the leap I made in the above bullet-point titled "evolution" is valid, and why you should care.

      I love the quote I put in my first article so I think it's worth repeating... "Machines do not execute source code, they execute machine code"... absolutely true.  So when people used to work with source code we can now understand why they only got the answers part of the time.  Yes, I fully realize most modern source-scanners "or white-box scanner" tools don't just grep through code, as someone suggested at a blog posting that quoted me.  In fact, I'll go out on a limb and say that to grep through the code for "vulnerabilities" is about as effective as anti-virus and IDS (both pattern-based recognition)... there are so many permutations of the bad/malicious that those tools are inherently broken.  Anyway - to get back on track, I want to talk about this term "hybrid analysis".

      What is Hybrid Analysis?  (And more importantly, why do you care?)  Hybrid analysis is the culmination and what I feel is the inevitable cross between white-box and black-box testing.  I'm not sure if "gray-box" is the proper term or not, so I'll just keep using Hybrid Analysis for the sake of not mixing things up.  Hybrid analysis analyzes the byte-code that a source-compiler generates and builds your standard "source-to-sink" data-flow model but then moves beyond the limitations of that approach by taking that "knowledge" of the application and submitting it seamlessly into a (modified) black-box scanner built into the solution.

      Picture it - you have the blueprints of the bank vault, so you can try all the ways to theoretically break into the vault, then you hand those theoretical attack plans to a grunt who takes your information and goes and actually tries each of those attack vectors with multiple permutations and attack parameters to make the score and break in.  That my friends, is the proverbial Holy Grail of application security testing.  Data-modeling will only get you so far, before you have to actually try the attack to make sure it really works.  Now, given the many parameters involved, for example, external libraries, compiler behavior, and so on that influence the way code actually behaves it's conceivable that you can accomplish this feat I've described without the hybrid analysis approach (the modified black-box scanner) ... but then I think you're looking at an incredibly complex and almost AI-driven analysis tool... and I simply don't believe that technology exists or will exist.  I'm the kind of person that has to see something being broken before I'll believe it's real.  Give me the proof.

      If you take the hybrid approach - the proof looks you in the face each and every time.  As a nice side-effect you can virtually forget false-positives!  Source code scanners are infamous (notorious even!) for generating a lot of false-positives.  This has always been one of the many reasons developers argue against using these tools.  But what if you could offer your developers a way to eliminate those false-positives with little or no human intervention or double-checking?  If you're still skeptical, I'll be happy to have someone from our team demonstrate how this type of approach works, yes - we have it exclusively in our toolset.

      So let's recap.  Here are all the ways that Hybrid Analysis will save the world (joking):

  • Reaches well beyond modern "source-to-sink" data-flow modeling for vulnerability detection
  • Addresses 3rd party components by reflection (analyzing byte-code or IL of DLLs, JARs, etc)
  • Provides a real validation of the theoretical attack scenarios that the above step generates
  • Virtually eliminates false-positives!  This is a nice side-effect of testing using the Hybrid Analysis method

  
• May 13, 2008
• 22:42

  News Flash: phpBB Massive Hack

   » ‎ HP ASC Portal

  ComputerWorld is running an article from Paul Ferguson of TrendMicro claiming that there is a massive hack going on as you read this - via the phpBB bulletin-board software.  Truth be told, phpBB has been known to be bug-ridden over the years (simply Google "phpBB vulnerability" and you'll get more than you wanted) but I believe that these have come to a boiling point now.  If it's actually true, the number of site that was hacked stands at ~500,000, it would point to a massive problem within phpBB's code which likley hasn't been disclosed yet.

  What worries me is not that these sites are being hacked (because this is a "normal" occurrence these days) but that they're increasingly effective.  While a half-million web sites being broken into isn't something to sound the alarm over - and this is truly a sad commentary on the state of web security today - the precision and effectiveness of these types of attacks is scary.  Furthermore, the "drive-by" installations of malware, trojans and other unwanted stuff on your computer is the stuff that security managers worry about at night.  Just think of the amount of data that a half-million key loggers can pull?  Think of the potential fallout of having to re-load (because cleaning isn't possible most of the time) every machine at your office... the possibility boggles the mind.

  What comes out in incidents like this, and sadly people still do not understand, is that an insecure web application/site does more than just possibly damage the host.  A vulnerable site leaves its visitors vulnerable, which sets off a chain of reactions that resonates back into the CISO's office at any company that allows its users to browse the Internet.  More on this in a future post.

  While I know it's rather un-common to have a php-facing application like this in an entierprise - it's definitely not impossible so I felt like I needed to notify and warn you readers.  More as information comes in... if it comes in.

  
• May 12, 2008
• 21:28

  Top Five Web Application Vulnerabilities 4/28/08 - 5/11/08

   » ‎ HP ASC Portal

  1) SAP Internet Transaction Server Multiple Cross-Site Scripting Vulnerabilities

  SAP Internet Transaction Server is susceptible to multiple instances of Cross-Site Scripting.  If exploited, these vulnerabilities could give an attacker the means to perform account hijacking, execute malicious scripts, or steal proprietary information. A solution is reported to be available in SAP note 1052053. Contact the vendor for further details.

  [www.securityfocus.com]

  2) Sun Java System Web Server Search Module Cross-Site Scripting Vulnerability

  Sun Java System Web Server Search Module is susceptible to a Cross-Site Scripting vulnerability. If successfully exploited, this vulnerability could allow an attacker to steal confidential information and cookie-based authentication credentials, and possibly lead to execution of arbitrary code in the browser of an unsuspecting user.  A fix has been released. Contact the vendor for additional information.

  [www.securityfocus.com]

  3) Sun Java System Directory Proxy Server Remote Unauthorized Access Vulnerability

  Sun Java System Directory Proxy Server is susceptible to a remote unauthorized access vulnerability. An attacker can leverage this vulnerability to gain administrative access to the affected server. An advisory and fixes for this issue have been released. Contact the vendor for more details. 

  [www.securityfocus.com]

  4) Sun Java System Application Server and Web Server JSP Information Disclosure Vulnerability

  Sun Java System Application Server and Web Server are prone to an information-disclosure vulnerability. An attacker could leverage this issue to obtain sensitive information which could possibly be used to orchestrate more dangerous attacks. An advisory and updates which address this issue have been released. Contact the vendor for additional information.

  [www.securityfocus.com]

  5) Zen Cart 'keyword' parameter SQL Injection and Cross-Site Scripting Vulnerabilities

  Zen Cart is susceptible to SQL Injection and Cross-Site Scripting vulnerabilities. If exploited, these vulnerabilities could lead to compromise of the application, the theft of confidential information and authentication credentials, or be utilized in conducting additional database attacks. A fix has not yet been released. Contact the vendor for more information.

  [www.securityfocus.com]

  
• May 07, 2008
• 0:32

  Static Code Analysis Failures

   » ‎ HP ASC Portal

  Static code analysis failures are costing enterprises money and reputation.

  White-box security testing is inherently a flawed proposition for many reasons -but it all comes down to a very simple concept:

    Machines do not execute source code, they execute machine code (compiled code). --Paul Anderson (GrammaTech)

    If you think this through for a minute you realize that there are a few specific reasons why the above statement fundamentally changes the way that people look at white-box testing, and why this is a losing proposition.  Let's analyze this in the context of a web application project for a mythical online bank.  Consider that the use-case here is that we are dealing with a bank that has an online presence (currently being analyzed) which will be integrated with a series of existing legacy applications, partners, and external 3rd party components.  Given this information let's analyze why white-box analysis (or static source-code analysis) is doomed to fail this project with respect to security.

  • Compiler Optimizers Break Things - Think of it this way, compilers are designed to make machine code from your source code.  That compiler's sole purpose (in most cases) is to create machine code that will be optimized, extremely fast-executing, but not necessarily secure.  Often times security functions that people build into source code can be removed by compiler optimizers and most often without our knowledge.  These actions often undo many of the advanced security features that developers may consciously insert into their code.  Consider the following example:
  • Developer is paranoid about data-persistence in memory space, and wants to be doubly-sure that variables are expired and destroyed
  • Developer writes a routine whereby the variable will have a null value written to it before the memory is freed
  • Compiler optimizer sees this as a double-work scenario, and removes the null-value portion and simply opts to free memory
  • A potential security vulnerability is created with variable persistence in freed memory space

  This example ideally demonstrates how a security vulnerability can be inserted in spite of the developer's best efforts to write secure code.  Standard static-code analysis tools which are used to "scan code" at the static-file level will fail to catch this vulnerability.  Quite simply - static code analysis fails if it is not supplemented with dynamic analysis.

  • 3rd Party Library Integrations - There is another threat to developing and scanning static code in a white-box format.  Inevitably, 3rd party libraries are used to complement features or functionality that are not natively provided by the local development effort.  After all, no one re-invents the whole wheel everytime - we simply build what we cannot reuse from someone else's work, then use the publicly available libraries from 3rd parties to fill in the functionality and features that have already been written and (hopefully) tested before.  White-box testing (or static code analysis) will absolutely fail in finding flaws when it comes to pulling in 3rd party libraries.  By the definition of this type of issue, 3rd party libraries rarely provide you the source to be scanned and checked for weaknesses that will affect your application.  What you're left with is someone else's code (in machine-compiled format!) which will be interacting with your application.  Would you trust that model?
  • Static Code Analysis Rarely Understands Data-Flow Modeling (Data Tracing) - If you're scanning your application with a source-code-only analysis tool, you're going to not only miss things that will almost certainly come back to haunt you - but you may also be over-working yourself without a real purpose.  Consider the following example to illustrate my point.  Before I get into that example though, allow me to explain this idea of "data-flow modeling" for those that are not familiar with this idea.Data-flow modeling seeks to understand how data moves through your application, not just how the application code is written.  After all, that's the whole pointn of the application, to work with data.  Vulnerabilities lie in manipulating data either to or from the end users or the server(s).  Data-flow modeling maps out the data in your appliaction from it's instantiation (maybe when the user types it in) to its resting state (maybe when it's finally written to a database, or handed off to another application or service for additional work).  That being said let's consider a web application that has 1,000 forms across 100 pages written in the language of your choice, built to be AJAX.  While each page does nothing individually to validate user input (the data source) all variables (data) are filtered through a central validation module deep within the application logic.  A standard source-code analysis tool (I have evaluated this and can honestly say this is a real use-case but will not mention the tool) will flag on each and every input that is not validated (within the page) as vulnerable to hudreds of vulnerabilities ranging from XSS (Cross-Site Scripting) to SQL Injection and other attack types.  What you are left with is a very lengthy report with hundreds of critical and high vulnerabilities that you now obviously must address... unless you do some dynamic analysis on the code and realize that *none* of those theoretical vulnerabilities are exploitable due to the fact that the application filters all data through the central validator/scrubber.

  So, there you have it.  Static code analysis is inherently doomed to fail.  White-box testing of source-only is flawed.  The sky is falling, global warming will kill us all.  In my next installment of this column, I'll give you what you need to know to avoid failing in your security initiatives at the development step of the SDLC - remember, knowing is half the battle.

   Stay tuned!

  If this information disturbs you, and you would like to talk about it directly please don't hesitate to email me directly.  I am not a sensationalist, and pride myself on presenting practical solutions to real-world problems which are realistically attainable.  Thanks for reading.

  
• May 01, 2008
• 21:24

  Security and Compliance - Strange Bedfellows Indeed

   » ‎ HP ASC Portal

    It's a classic problem of which came first... the chicken or the egg?  politics or corruption?  security or compliance?  While I admit, it's not such a strange thing to see the two groups working together these days... I would like to point of some of the issues that I've come across between these two very important groups in today's enterprises.

    The issue of compliance is much like the issue of legal counsel.  All large enterprises, and even most small business have someone that's responsible for compliance - occasionally you'll see an entire department dedicated to the daunting task of keeping up with regulations, compliance policies, and the ever-changing landscape of procedural accountability.  Oddly enough, there is not a one-to-one relationship between the compliance department and a security department.  I've spent a large portion of my IT career in situations just like this and I would like to share some of my understanding with you.

    Compliance, while not always a necessity in private businesses, is almost always present in larger, pubilc enterprises.  The compliance department is responsible for making sure the business is in-line with self-imposed corporate regulations and policies, industry-consortium regulatory guidance, government oversight and policy even international laws too!  It's amazing these groups can even keep this stuff straight, right?  What's equally amazing is how often compliance relies on IT Security for guidance and implementation of compliance components. This of course begs the question - would IT Security exist in some organizations if there was no compliance stipulation for such groups?  On the flipside of that... in a perfectly secure world where no one is ever malicious - what would be the need for the compliance group?  So while it may be a stretch to say that one group cannot function properly without the other (I will concede that they can, albeit poorly) each is heavily dependant on the other for its very existence within a business.  This is where I find some strange... interactions.

    As I've stated, the security team often carries out part of compliance policy or regulations; or performs audits to ensure that the same regulations are being followed - but I feel like even in these cases the synergies between these groups are under-utilized.  I can't count the number of times I've been turned down for an IT Security initiative (which made perfect business sense, by the way - but was simply under-funded) only to push that same initiative through under the guise of a compliance regulation - through the compliance team.  In return... the compliance teams I've had the pleasure to work with have repeatedly called upon my security resources to be the "muscle" behind their policies.

    As I travel and talk to different groups about Application Security, I am agaff at the number of times that I get an entirely blank stare when I try to explain how leveraging compliance is a sure-fire way to get security initiatives done.  Here's my reasoning... see if you disagree...

  • Compliance is a "necessary evil" which exists to keep the business in good legal and regulatory standing
  • IT Security exists to keep the balance of risk/reward within the business IT as balanced as possible
  • IT Security should be looking to enact initiatives which work to support the business

    If you take all 3 points above as truth (and I firmly believe they are) then it's a logical next-step to say that IT Security initiatives and Compliance initiatives will greatly overlap.  An overlap within two very necessary units of the enterprise will always, without fail, lend more credibility to their efforts and causes.  If both the security and compliance teams are pushing the same agenda, it becomes very difficult for a business owner to simply dismiss that agenda as unnecessary or frivolous.

    So a lesson-learned here - if you're not already doing this... here are some very simple yet extremely effective (based on personal experience and first-hand accounts) techniques for getting things "done".

  • Open a regular dialogue with your complaince team.  Meet once a quarter, once a month, or once a week as permissable to discuss what you're independently working on
  • Find overlaps in your goals from a non-technical perspective
  • Create a joint strategy for compliance and technical implementation of initiatives previously agreed upon
  • Review business requirements jointly - ensure that both groups understand each other's point-of-view

  Given these very simple, and probably obvious, steps - I can virtually guarantee a more successful IT Security goal achievement.  You'll work less uphill, you'll "win" more often, and you'll do a much better job not only understanding but supporting your business - that makes everyone happy.

  
• April 28, 2008
• 23:08

  Top Five Web Application Vulnerabilities 4/14/08 - 4/27/08

   » ‎ HP ASC Portal

  1) IBM Lotus Expeditor URI Handler Command Execution Vulnerability

  IBM Lotus Expeditor is susceptible to a remote command-execution vulnerability because user-supplied input is not properly sanitized. Attackers who successfully exploit this issue can execute arbitrary commands in the context of victims who follow malicious URI's.  A fix has not yet been released. Contact IBM for more information.

  [www.securityfocus.com]

  2) F5 Networks FirePass 4100 SSL VPN 'installControl.php3' Cross-Site Scripting Vulnerability

  F5 Networks FirePass 4100 SSL VPN is susceptible to a Cross-Site Scripting vulnerability. If exploited, this vulnerability could give an attacker the means to perform account hijacking, execute malicious scripts, or steal proprietary information. An update which resolves this vulnerability has been released. Contact the vendor for additional details.

  [www.securityfocus.com]

  3) HP OpenView Network Node Manager Running Apache Multiple Vulnerabilities

  HP OpenView Network Node Manager when running Apache is vulnerable to multiple vulnerabilities including Cross-Site Scripting and Denial-of Service attacks. If successfully exploited, these vulnerabilities could allow an attacker to steal confidential information and cookie-based authentication credentials,  possibly lead to execution of arbitrary code in the browser of an unsuspecting users, and be used to deny access to legitimate users. Patches which resolve these issues have been released. Contact the vendor for more details.

  [www.securityfocus.com]

  4) Novell GroupWise HTML Injection and Denial-of-Service Vulnerabilities

  Novell GroupWise is susceptible to HTML Injection and Denial-of-Service vulnerabilities. HTML Injection can be leveraged to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. Denial-of-Service attacks can be exploited to crash the application and deny access to legitimate users. A fix has not yet been released. Contact the vendor for additional information.

  [www.securityfocus.com]

  5) RSA Authentication Agent for Web URI Redirection Vulnerability

  RSA Authentication Agent for Web is susceptible to a remote URI-redirection vulnerability because inadequate data sanitization is performed on user-supplied input. Exploitation of this vulnerability could aid in phishing-style attacks. RSA Authentication Agent for Web 5.3.3.378 resolves this issue. Contact the vendor for specific upgrade information.

  [www.securityfocus.com]

  
• April 22, 2008
• 19:18

  Navigating the PCI DSS Standards...

   » ‎ HP ASC Portal

  For those of you who keep up with the PCI DSS standard, the coucil today has issued an update titled: Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified.

    The standard item 6.6 has been further clarified in one of two options, as before, being either Application Code Reviews or an Application Firewall.  I'll address the first option, since that is the more logical one, but will briefly talk about the Application Firewall as well - just to clear the air a bit.  While the Standards Council continues to add clarification, which makes the standard more usable, more opportunities for compliance surface with less cost and effort.  No doubt the IT manager feels like this is a good thing because now the cost of compliance won't necessarily be astronomical - and thereby make it viable.  As we all know, the issue of compliance to a non-government regulation is always a balancing act.  Compliance, as with most security components, is an equation balancing risk against spending and business value.  We all know the results... if the equation balances just right, the business benefits from the added security and sees value while not spending more money than the risk is worth - and security feels worthwhile because risk has been decreased by some factor which affects the business in a positive manner.  Granted, it doesn't always work out quite so rosy - but the PCI DSS standard is going a long way to make sure that these equations that happen every day, in many businesses throughout the world - balance.

    Now - on to the meat of the standards update.  First off, let me address the Web Application Firewall issue.  While this is a topic that deserves a whole article onto itself, the short version is this - web app firewalls are very expensive, complex band-aids.  That's the reality.  While many of them work phenomenally well, and in fact I can name a few that do, they are difficult to implement into an existing production environment, they are primarily signature-based (remember how well we stop "unknown" viruses?), or have some other architectural quirk that makes them an impossibility in your enterprise.  Personally, at my previous company I started to implement a particular WAF ... but it took over a year and a half of research, testing, approvals, and more testing to get them into a newly built environment... not even into a legacy production environment where they would have provided the most value.  Anyway... the point is - a WAF is a tool you use when you don't have the resources to "do it right"... fix the code itself.

    Section 6.6 of the PCI DSS standards, option 1 (the Application Code Reviews) now has 4 basic alternatives.  Candidates are urged to implement at least one of the following...

  • Manual review of application source code
  • Propse use of automated application source code analyzer tools (static code scanners)
  • Manual web application security vulnerability assessment
  • Propse use of automated web application security vulnerability assessment tools

    First, a few things of note.  The above does not necessarily call for a "penetration test" which exploits vulnerabilities by an ethical hacker... only an "assessment" (which identifies but does not exploit) vulnerabilities is required.  The distincion is important because it means that you can now do this on production code, or a production environment without the risk of damaging your applications by necessity to prove their vulnerability.

    I find it interesting that the update goes and directly says "In all cases, the individual(s) must have the proper skills and experience to understand the source code and/or web application, know how to evaluate each for vulnerabilities, and understand the findings".  The fact that the DSS requirement 6.6 now specifically addresses competence in the assessor should mean that there was some ... question... over the competence of assessors or possibly a need to specifically stamp out that only qualified people should be doing assessments.  Interesting, at either angle.  The same statement goes for assessors using automated tools - but now we have an interesting proposition.  Do you (a) hire an extremely qualified application vulnerability tester, or (b) hire a knowledgeable user, and give him a software testing/scanning tool and some training... and are those even the same?  Obviously the dollar amounts for the two are different... or are they?  There is also the point about the testers having to be (the authors use the word "should be") organizationally separate from those writing the code... well that makes sense.  No one wants the fox guarding the hen-house, right?  You don't want the same developers that are potentially churning out insecure code to then review it and give themselves gold stars.  So far so good.

    So now we have 2 options for doing this internally - which will help our bottom line (external 3rd parties are typically very, very expensive)...

  1. First option is to do an SDLC-integrated code review... actually reviewing the application code before it gets compiled and leaves the development group's control.  We have the option to do it manually, or with some tools - using only highly trained and knowledgeable people.
  2. Second option is to do a post-development analysis of the code.  Once the code is written, built, and tested for usability issues it's time to security-test it with, again, either a human being, or some black-box testing tool(s) - but again, you must use trained and knowledgeable people here as well.

    Well, if I'm a security manager...this is great!  Thinking logically - you always want the security expertise in-house, and why in the world wouldn't you want to do application security throughout the application lifecycle?  The DSS update also goes on to remind us of requirement 6.3, and the need to have an effective change-control process such that the security reviews are not bypassed, at any level.  While the final sign-off must be done when the code is ready for production - it's imperative that the effectiveness of the application security policy be enacted to push as far back into the development (pre-development planning?  requirements gathering?) lifecycle as possible (more on that in a separate article).

    As a final note - the update talks about the need to stay current and abreast of new developments in application security testing.  It's essential that whatever tools are purchased (whether they be the full SDLC suite from HP/ASC, or some other vendor) - that these tools and their users be continually updated from the brightest minds in the field.  This is unfortunately a one-up battle against the "bad guys"... if you're behind you're sunk.

  So what have we learned from the new Section 6.6 update?

  • There are at least 4 ways to interpret the "Application Code Review" guideline
  • You can have your code "reviewed" internally, as long as your assessor is trained and competent (but to who's qualifications?)
  • You can use automated tools, either static code analysis or black-box testing software, if you have your people trained in those tools, and application security
  • Your testers/assessors have to be organizationally separate from the development organization (but at what level?)
  • Your organization should absolutely integrate application security as early into the SDLC as possible, using "tools and rules" in combination
  • Your testers should always be up-to-date on the latest developments, techniques, and methods... otherwise you're bringing a knife to a gunbattle

  Thanks for your attention!

  
• April 15, 2008
• 0:16

  Top Five Web Application Vulnerabilities 3/31/08 - 4/13/08

   » ‎ HP ASC Portal

  1) F5 BIG-IP Web Management Interface 'NEW_VALUE' Parameter Remote Code Injection Vulnerability

  F5 BIG-IP Web Management Interface is susceptible to a remote code injection vulnerability. Attackers who successfully exploit this vulnerability could execute arbitrary code with the privileges of the user of the affected application. A fix has not yet been released. Contact the vendor for additional information.

  [www.securityfocus.com]

  2) Cisco Unified Communication Manager Multiple Vulnerabilities

  Cisco Unified Communication Manager is susceptible to multiple remote vulnerabilities including instances of SQL Injection, information disclosure, and unauthorized access. If exploited, these vulnerabilities could lead to compromise of the application, leveraged to gain unauthorized application access, or utilized to obtain sensitive information. A fix has not yet been released. Contact Cisco for further details.

  [www.securityfocus.com]

  3) Drupal Menu System Security Bypass Vulnerabilities

  Drupal is susceptible to multiple security-bypass vulnerabilities via the menu system because the application fails to properly control access to certain pages. Successful exploitation would give an attacker access to sensitive information which could likely be utilized in orchestrating more damaging attacks. Updates which resolve these issues have been released. Contact the vendor for more information.

  [www.securityfocus.com]

  4) Microsoft SharePoint Server Picture Source HTML Injection Vulnerability

  Microsoft SharePoint Server is susceptible to an HTML Injection vulnerability. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. An attacker needs to utilize a user account with page editing privileges to successfully exploit this vulnerability. A fix has not yet been released. Contact Microsoft for additional details.

  [www.securityfocus.com]

  5) SAP NetWeaver Filesystem Feedbacks Cross-Site Scripting Vulnerability

  SAP NetWeaver is susceptible to a Cross-Site Scripting vulnerability. If exploited, this vulnerability could give an attacker the means to perform account hijacking, execute malicious scripts, or steal proprietary information.  Note that this issue can be resolved by activating 'Secure Editing' in the Portal. Contact the vendor for more information.
  [www.securityfocus.com]